Activating or not the 2FA for the VPN user profiles does not make any difference
I activated 2FA for IPSec VPN users, then generated via the integrated wizard the android and windows configurations freshly.
There is no pop-up for the 2FA when connecting, even if the VPN user profiles have the 2FA activated.
When 2FA is activated via the web-based login, a popup window for the 2FA code appears. That does not appear for the VPN users when logging in; it just goes through automatically and connects, just as if the 2FA option were not activated.
I tried the setup and configuration a few times in different ways, on different firmwares and configurations, and 2FA for VPN users does not seem to work properly.
All Replies
-
Hi @Zyxel_USG_User,
May I know if you followed the handbook to configure?
Topic "How to Use Two Factor with Google Authenticator for Admin Access"
Please note that Windows won't pop out the verification page, please enter the authentication website manually. If you don't enter the 2FA code within the valid time, the VPN will be disconnected.
Zyxel Melen0 -
The configuration of the IPSec VPN was done as follows on a USG20W-VPN, under several firmware versions; the results are consistently the same:
- using the wizard in Express Mode, then downloading the .sswan file for Android, the iOS client file for Apple, and the Windows client file.
- The VPN users are separately created, and are to be used only with the VPN. The Google 2FA is enabled on each of these user profiles.
This is what happens:
1. On none of the clients (not on Windows, not on Android, and not on Apple) is there a dialog for the 2FA code, AND
2. The clients get logged in without any popups or dialogs, whether they have 2FA enabled or not on the firewall, and no matter the client OS.
I would expect a 2FA dialog when the client logs in. It does not happen on any client, even though 2FA is activated on the dedicated VPN user profiles, which get logged on no matter whether 2FA is activated on the profile or not, passthrough style.
Scenario 1:
VPNUser1 has 2FA with Google Auth enabled.
Create the IPSec VPN files with the wizard, for Android, iOS, and Windows.
Logging in from all clients works, no 2FA is asked anywhere in the process.
Scenario 2:
VPNUser1 has 2FA with Google Auth NOT enabled.
Create the IPSec VPN files with the wizard, for Android, iOS, and Windows.
Logging in from all clients works.
There is no difference.
0 -
Automatic logging in… ok, but then traffic is flowing or not?
0 -
'Automatic' was eventually not the proper term, I deleted it from the previous comment.
Everything works fine, obviously, in both cases.
Ticking the 2FA box for dedicated VPN profile users or leaving it unticked does not make a difference.
I don't know whether this behaviour is intended, or whether it is called 'automatic login' because it is generated by the device wizard and therefore just 'passes and works'. Either way, I just expect a 2FA dialog where I can put the actual code in when I set the user accordingly to have 2FA.
The 2FA box ticking for the VPN users has no functionality whatsoever in my experiences mentioned above.
0 -
Automatic popup is possible only with the IPSec VPN client from Zyxel.
But with a missing popup, the VPN should not work: connected, but without traffic flowing.
If in your case you say traffic flows, then 2FA is not active.
Is the setting active in all places?
-On user
-On 2FA main page, for the type of VPN
-On specific tunnel (only L2TP does not need this setting)
0 -
That is exactly what I use, IPSec VPN.
1. I created 2 different users only for the purpose of testing this case.
2. No split tunneling needed.
3. I use the Zyxel wizard to create the configurations for Android, iOS, Windows.
4. I test the clients and connections; everything works fine on each platform.
5. I activate the 2FA for the VPN users in Zyxel and set it up accordingly with Google Auth.
6. I create the clients anew with the Zyxel wizard for Android, iOS, Windows.
7. I distribute the freshly created configuration files, test the clients and connections, and everything works as well as in pt. 4, but no popup, no dialog, nothing resembling 2FA. Nothing, nada, niente.
My questions are:
- what is the purpose of ticking 2FA for the users dedicated for VPN, when it does not make any difference versus non-2FA?
- what is not working as it should, and when is it going to get fixed?
0 -
I just re-checked and tested. On the firewall, I activated 2FA for VPNuser1.
On the VPN Gateway, the 2FA is activated. That means that from now on, any VPN tunnel should ask for 2FA for the user profiles used.
Going on my smartphone, I can reconnect using the existing IPSec configuration which was created with the user VPNuser1 when it was without 2FA. That should not work.
If 2FA has a 'meaning' for the IPSec configurations at all, it should not allow the IPSec tunnel without the 2FA, and that for ANY configuration, once 2FA is set.
I checked that 2FA is now activated on the firewall. The firewall is set to ask for 2FA for IPSec, and the user has 2FA enabled. But I can still use a configuration which was generated and used with VPNUser1 without 2FA.
I noticed something else strange as well: one can tick the 2FA box, but not activate the Google Auth 2FA. There is no check or co-dependency between the two. Until Google Auth is activated on VPNuser1, it should not be possible to tick the 2FA box for the user. Makes me think that this may be the case in other settings as well...
Either way I look at it, 2FA with IPSec is not properly configured and allows users to 'slip' by.
I have used the admin logins via web browser (direct access) with 2FA since it was implemented, and it has been working since then.
0 -
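The two replies above make a concrete, checkable point: for 2FA to actually gate an IPSec tunnel, the flag has to be on in three places (the user, the 2FA main page for that VPN type, and the specific tunnel, with only L2TP exempt from the per-tunnel setting), and the user must also have Google Authenticator enrolled, since the UI lets you tick the user's 2FA box without it. The following is an added example, not Zyxel's code or anything from this thread: a small audit script over a constructed, hypothetical model of those settings (field names such as `two_fa_by_vpn_type` and `google_auth_enrolled` are assumptions, not the firewall's real configuration keys) that reports every combination in which a user who is supposed to have 2FA would still "slip" through.

```python
"""Audit the three-place 2FA consistency rule described in the thread.

Constructed example: the dataclasses below are a hypothetical model of the
settings a USG-style firewall UI exposes, not Zyxel's configuration format.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass
class User:
    name: str
    two_fa_enabled: bool            # the per-user "2FA" tick box
    google_auth_enrolled: bool      # whether an authenticator has actually been set up


@dataclass
class Tunnel:
    name: str
    vpn_type: str                   # "ipsec", "l2tp", "sslvpn" (hypothetical values)
    two_fa_enabled: bool            # the per-tunnel 2FA setting
    allowed_users: list[str] = field(default_factory=list)


@dataclass
class Config:
    users: dict[str, User]
    two_fa_by_vpn_type: dict[str, bool]   # the "2FA main page" toggle per VPN type
    tunnels: list[Tunnel]


# Per the reply above, only L2TP does not need the per-tunnel setting.
TUNNEL_FLAG_NOT_NEEDED = {"l2tp"}


def audit(cfg: Config) -> list[str]:
    """Return one finding per way a 2FA user could connect without being challenged."""
    findings: list[str] = []

    # Co-dependency the original poster expected but found missing in the UI.
    for u in cfg.users.values():
        if u.two_fa_enabled and not u.google_auth_enrolled:
            findings.append(
                f"user {u.name}: 2FA box ticked but no Google Authenticator enrolled"
            )

    # The three-place rule: user flag AND VPN-type flag AND tunnel flag.
    for t in cfg.tunnels:
        type_on = cfg.two_fa_by_vpn_type.get(t.vpn_type, False)
        tunnel_on = t.two_fa_enabled or t.vpn_type in TUNNEL_FLAG_NOT_NEEDED
        for uname in t.allowed_users:
            u = cfg.users.get(uname)
            if u is None:
                findings.append(f"tunnel {t.name}: references unknown user {uname}")
                continue
            if u.two_fa_enabled and not (type_on and tunnel_on):
                missing = []
                if not type_on:
                    missing.append(f"2FA main page for {t.vpn_type}")
                if not tunnel_on:
                    missing.append(f"tunnel {t.name}")
                findings.append(
                    f"tunnel {t.name} / user {u.name}: 2FA not enforced, "
                    f"also enable it on: {', '.join(missing)}"
                )
    return findings


def enforce_tunnel_2fa(cfg: Config) -> Config:
    """Copy of cfg with the per-tunnel flag switched on everywhere (the fix for the tunnel-level gap)."""
    return replace(cfg, tunnels=[replace(t, two_fa_enabled=True) for t in cfg.tunnels])


# Constructed sample mirroring the thread: a wizard-generated IPSec tunnel whose
# per-tunnel flag was never turned on, and a second user with the box ticked but
# no authenticator enrolled.
SAMPLE_CONFIG = Config(
    users={
        "VPNuser1": User("VPNuser1", two_fa_enabled=True, google_auth_enrolled=True),
        "VPNuser2": User("VPNuser2", two_fa_enabled=True, google_auth_enrolled=False),
    },
    two_fa_by_vpn_type={"ipsec": True, "l2tp": False},
    tunnels=[Tunnel("wiz_ipsec", "ipsec", two_fa_enabled=False,
                    allowed_users=["VPNuser1", "VPNuser2"])],
)

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("after enabling the tunnel flag:", audit(enforce_tunnel_2fa(SAMPLE_CONFIG)))
```

Running it on the sample lists three findings (the un-enrolled user plus one per user on the tunnel whose flag is off); after `enforce_tunnel_2fa` only the enrolment finding remains, which is the one the firewall UI itself does not prevent.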
> That is exactly what I use, IPSec VPN.
This is the VPN type, but if your clients (Android, iOS, Windows) don't support the 2FA popup, that popup will not appear.
I talked about the Zyxel IPsec VPN client, a client from Zyxel: it supports the automatic popup.
When I use the Shrew Soft client on Windows, I open the tunnel and then open the 2FA page in a browser.
But if I don't open that page and enter the code, the tunnel is only up (traffic does not flow).
In your case, the situation is worse than "popup or not popup": 2FA is not working.
> 5. I activate the 2FA for the VPN users in Zyxel, set it up accordingly with Google Auth.
And this is good, but I ask again:
Is the 2FA checkbox active in the other two places?
0 -
Yes, 2FA is active in all places wherever VPN is mentioned, or the VPN user names or groups.
0 -
Zyxel's own IPSec client which you mentioned is EOL as of the end of 2024, as I see.
0